
Use crypto method flags; add tlsv1.0 wrapper; add wrapper tests
rdlowrey committed Feb 21, 2014
1 parent d0c9207 commit 3a9829a
Showing 12 changed files with 569 additions and 164 deletions.
2 changes: 2 additions & 0 deletions ext/openssl/openssl.c
Expand Up @@ -1224,6 +1224,7 @@ PHP_MINIT_FUNCTION(openssl)
php_stream_xport_register("sslv2", php_openssl_ssl_socket_factory TSRMLS_CC);
#endif
php_stream_xport_register("tls", php_openssl_ssl_socket_factory TSRMLS_CC);
php_stream_xport_register("tlsv1.0", php_openssl_ssl_socket_factory TSRMLS_CC);
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
php_stream_xport_register("tlsv1.1", php_openssl_ssl_socket_factory TSRMLS_CC);
php_stream_xport_register("tlsv1.2", php_openssl_ssl_socket_factory TSRMLS_CC);
Expand Down Expand Up @@ -1269,6 +1270,7 @@ PHP_MSHUTDOWN_FUNCTION(openssl)
#endif
php_stream_xport_unregister("sslv3" TSRMLS_CC);
php_stream_xport_unregister("tls" TSRMLS_CC);
php_stream_xport_unregister("tlsv1.0" TSRMLS_CC);
#if OPENSSL_VERSION_NUMBER >= 0x10001001L
php_stream_xport_unregister("tlsv1.1" TSRMLS_CC);
php_stream_xport_unregister("tlsv1.2" TSRMLS_CC);
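Review bot: The new `tlsv1.0` transport is registered with the same factory as `tls` and without any OpenSSL version guard, but nothing at the registration site says how the two names differ; a reader has to go to the new tests to learn that `tls` negotiates any version while `tlsv1.0` pins one. A one-line comment above the new line would help, `/* "tlsv1.0" pins TLSv1.0; "tls" negotiates any supported TLS version */`. Presumably the name-to-method mapping lives in the socket factory's transport handling rather than in this function, so the comment should point there if that is the case. The unregister line in PHP_MSHUTDOWN_FUNCTION mirrors the addition.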
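--- a/ext/openssl/tests/stream_crypto_flags_001.phpt
+++ b/ext/openssl/tests/stream_crypto_flags_001.phpt
@@ -0,0 +1,58 @@
+--TEST--
+Basic bitwise stream crypto context flag assignment
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(['ssl' => [
+'local_cert' => __DIR__ . '/bug54992.pem',
+'allow_self_signed' => true
+]]);
+$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+die('could not fork');
+} else if ($pid) {
+
+// Base SSL context values
+$sslCtxVars = array(
+'verify_peer' => TRUE,
+'cafile' => __DIR__ . '/bug54992-ca.pem',
+'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file
+);
+
+// SSLv3
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+// TLSv1
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+// TLS (any)
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLS_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+} else {
+@pcntl_wait($status);
+@stream_socket_accept($server, 1);
+@stream_socket_accept($server, 1);
+@stream_socket_accept($server, 1);
+}
+--EXPECTF--
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+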
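Review bot: The new test mixes short array syntax (`['ssl' => [` for the server context) with `array(...)` for the client contexts a few lines later; the same mix appears in stream_crypto_flags_002.phpt, stream_crypto_flags_003.phpt and stream_crypto_flags_005.phpt. One syntax throughout would read better, e.g. `$sslCtxVars = [` and `stream_context_create(['ssl' => $ctxCopy])`. Separately, `@pcntl_wait($status)` in the child branch looks intended to give the parent a head start, but a freshly forked child has no children of its own, so the call most likely returns at once; if a delay is intended, say so in a comment or make it explicit.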
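--- a/ext/openssl/tests/stream_crypto_flags_002.phpt
+++ b/ext/openssl/tests/stream_crypto_flags_002.phpt
@@ -0,0 +1,67 @@
+--TEST--
+TLSv1.1 and TLSv1.2 bitwise stream crypto flag assignment
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSLv1.0.1 required");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(['ssl' => [
+'local_cert' => __DIR__ . '/bug54992.pem',
+'allow_self_signed' => true
+]]);
+$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+die('could not fork');
+} else if ($pid) {
+
+// Base SSL context values
+$sslCtxVars = array(
+'verify_peer' => TRUE,
+'cafile' => __DIR__ . '/bug54992-ca.pem',
+'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file
+);
+
+// TLSv1
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+// TLSv1.1
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+// TLSv1.2
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+// TLS (any)
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLS_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+} else {
+@pcntl_wait($status);
+@stream_socket_accept($server, 1);
+@stream_socket_accept($server, 1);
+@stream_socket_accept($server, 1);
+@stream_socket_accept($server, 1);
+}
+--EXPECTF--
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+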
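--- a/ext/openssl/tests/stream_crypto_flags_003.phpt
+++ b/ext/openssl/tests/stream_crypto_flags_003.phpt
@@ -0,0 +1,68 @@
+--TEST--
+Server bitwise stream crypto flag assignment
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSLv1.0.1 required");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(['ssl' => [
+'local_cert' => __DIR__ . '/bug54992.pem',
+'allow_self_signed' => true,
+
+// Only accept SSLv3 and TLSv1.2 connections
+'crypto_method' => STREAM_CRYPTO_METHOD_SSLv3_SERVER | STREAM_CRYPTO_METHOD_TLSv1_2_SERVER
+]]);
+$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+die('could not fork');
+} else if ($pid) {
+
+// Base SSL context values
+$sslCtxVars = array(
+'verify_peer' => TRUE,
+'cafile' => __DIR__ . '/bug54992-ca.pem',
+'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file
+);
+
+// TLSv1.2
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+// SSLv3
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+// TLSv1 (should fail)
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+// TLSv1.1 (should fail)
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));
+
+} else {
+@pcntl_wait($status);
+@stream_socket_accept($server, 1);
+@stream_socket_accept($server, 1);
+}
+--EXPECTF--
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+bool(false)
+bool(false)
+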
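Review bot: The two connections expected to fail (the TLSv1 and TLSv1.1 clients) are never accepted by the child, which stops after two `@stream_socket_accept($server, 1)` calls, so the `bool(false)` results may come from the one-second client timeout rather than from the server's `crypto_method` rejecting the handshake. The test would prove what its comments claim if the child attempted an accept for each of the four clients, i.e. two more `@stream_socket_accept($server, 1);` lines after the existing ones, with the expected output unchanged. Whether a rejected handshake surfaces on the accept side depends on the ssl transport's accept path, which is outside this file, so this is worth checking rather than assuming.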
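--- a/ext/openssl/tests/stream_crypto_flags_005.phpt
+++ b/ext/openssl/tests/stream_crypto_flags_005.phpt
@@ -0,0 +1,67 @@
+--TEST--
+Specific protocol method specification
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(['ssl' => [
+'local_cert' => __DIR__ . '/bug54992.pem',
+'allow_self_signed' => true,
+'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_0_SERVER
+]]);
+
+$server = stream_socket_server('ssl://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+die('could not fork');
+} else if ($pid) {
+
+// Base SSL context values
+$sslCtxVars = array(
+'verify_peer' => FALSE,
+'cafile' => __DIR__ . '/bug54992-ca.pem',
+'CN_match' => 'bug54992.local', // common name from the server's "local_cert" PEM file
+);
+
+// Should fail because the SSLv23 hello method is not supported
+$ctxCopy = $sslCtxVars;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(@stream_socket_client("ssl://127.0.0.1:64321"));
+
+// Should fail because the TLSv1.1 hello method is not supported
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(@stream_socket_client("ssl://127.0.0.1:64321"));
+
+// Should fail because the TLSv1.2 hello method is not supported
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(@stream_socket_client("ssl://127.0.0.1:64321"));
+
+// Should succeed because we use the same TLSv1 hello
+$ctxCopy = $sslCtxVars;
+$ctxCopy['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
+$ctx = stream_context_create(array('ssl' => $ctxCopy));
+var_dump(stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx));
+
+} else {
+@pcntl_wait($status);
+@stream_socket_accept($server, 1);
+@stream_socket_accept($server, 1);
+@stream_socket_accept($server, 1);
+@stream_socket_accept($server, 1);
+}
+--EXPECTF--
+resource(%d) of type (stream)
+bool(false)
+bool(false)
+bool(false)
+resource(%d) of type (stream)
+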
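Review bot: The three calls expected to fail pass no context, timeout or flags — `stream_socket_client("ssl://127.0.0.1:64321")` — so the `crypto_method` values prepared in `$ctxCopy` for the TLSv1.1 and TLSv1.2 cases are never applied; all three connections run with the default context and the default socket timeout, and the comments above them describe scenarios the code does not exercise. Passing the prepared context as the final call does, `var_dump(@stream_socket_client("ssl://127.0.0.1:64321", $errno, $errstr, 1, STREAM_CLIENT_CONNECT, $ctx));`, on each of the three lines makes the test check the per-method rejections it claims, with the expected output unchanged. The 30-second timeout on the last call could then also be aligned with the 1 second used everywhere else.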
1 change: 0 additions & 1 deletion ext/openssl/tests/streams_crypto_method.phpt
Expand Up @@ -56,4 +56,3 @@ EOS;
?>
--EXPECTF--
Hello World!

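--- a/ext/openssl/tests/tlsv1.0_wrapper.phpt
+++ b/ext/openssl/tests/tlsv1.0_wrapper.phpt
@@ -0,0 +1,47 @@
+--TEST--
+tlsv1.0 stream wrapper
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSL 1.0.1 required");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(array('ssl' => array(
+'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+)));
+
+$server = stream_socket_server('tlsv1.0://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+die('could not fork');
+} elseif ($pid) {
+$flags = STREAM_CLIENT_CONNECT;
+$ctx = stream_context_create(array('ssl' => array(
+'verify_peer' => false,
+'verify_host' => false
+)));
+
+$client = stream_socket_client("tlsv1.0://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+var_dump($client);
+
+$client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+var_dump($client);
+
+$client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+var_dump($client);
+
+} else {
+@pcntl_wait($status);
+for ($i=0; $i < 3; $i++) {
+@stream_socket_accept($server, 1);
+}
+}
+--EXPECTF--
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+bool(false)
+bool(false)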
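Review bot: The SKIPIF requires OpenSSL 1.0.1, but the only thing in this file that needs it is the `tlsv1.2://` probe near the end; the tlsv1.0 transport itself is registered without a version guard in the openssl.c hunk, so on older OpenSSL builds the wrapper this test exists for is never exercised. Either say so next to the skip, `// skip is driven by the tlsv1.2:// probe below, not by the tlsv1.0 wrapper`, or replace that probe with one that has no version requirement. Separately, the client context sets `'verify_host' => false`; if that is not a recognised ssl context option name it is silently ignored, and `'verify_peer' => false` alone already disables verification here — the same line appears in tlsv1.1_wrapper.phpt, so it is worth confirming against the option names the transport actually reads.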
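--- a/ext/openssl/tests/tlsv1.1_wrapper.phpt
+++ b/ext/openssl/tests/tlsv1.1_wrapper.phpt
@@ -0,0 +1,47 @@
+--TEST--
+tlsv1.1 stream wrapper
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+if (OPENSSL_VERSION_NUMBER < 0x10001001) die("skip OpenSSL 1.0.1 required");
+if (!function_exists('pcntl_fork')) die("skip no fork");
+--FILE--
+<?php
+$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
+$ctx = stream_context_create(array('ssl' => array(
+'local_cert' => __DIR__ . '/streams_crypto_method.pem',
+)));
+
+$server = stream_socket_server('tlsv1.1://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
+var_dump($server);
+
+$pid = pcntl_fork();
+if ($pid == -1) {
+die('could not fork');
+} elseif ($pid) {
+$flags = STREAM_CLIENT_CONNECT;
+$ctx = stream_context_create(array('ssl' => array(
+'verify_peer' => false,
+'verify_host' => false
+)));
+
+$client = stream_socket_client("tlsv1.1://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+var_dump($client);
+
+$client = @stream_socket_client("sslv3://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+var_dump($client);
+
+$client = @stream_socket_client("tlsv1.2://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
+var_dump($client);
+
+} else {
+@pcntl_wait($status);
+for ($i=0; $i < 3; $i++) {
+@stream_socket_accept($server, 1);
+}
+}
+--EXPECTF--
+resource(%d) of type (stream)
+resource(%d) of type (stream)
+bool(false)
+bool(false)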
